webinar: behavioral shifts in recent ddos attacks that should get you worried
TRANSCRIPT
BEHAVIORAL SHIFTS IN RECENT ATTACKS THAT SHOULD GET YOU WORRIED
Uncover the best practices for defense without sacrificing performance
Instart Logic has partnered with Verisign to mitigate the risk of DDoS attacks
✔ 24x7 monitoring
✔ Superior attack mitigation
✔ Performance guaranteed
Fast application delivery performance
Advanced DDoS mitigation and scrubbing
Agenda
• Verisign Analysis
– Challenges in securing applications
– DDoS overview
– Quarterly DDoS trend analysis
• Instart Logic Analysis
– Need for end to end security
– Types of attacks
– Recent examples
• Q&A
Rohit Kinra
Director - Product Technology, Verisign Security Services
Justin Fitzhugh
VP, Technical Operations
Fawad Shaikh
Technical Leader - Security
© 2016 VeriSign, Inc. All rights reserved
BEHAVIORAL SHIFTS IN RECENT DDoS
ATTACKS THAT SHOULD GET YOU WORRIED
Rohit Kinra
Director, Product Technology, Verisign Security Services
March 31, 2016
• Founded in 1995, listed NASDAQ:VRSN 1998
• Two Businesses:
– Domain Name Services
– Network Intelligence and Availability
• Headquartered in Reston, VA
• 2012 Revenues: $874 million
• S&P 500 Company
• 1,100 Employees
• VerisignInc.com
Our Company
ABOUT VERISIGN
• Founded in 1995, listed NASDAQ:VRSN 1998
• Two Businesses:
• Domain Name & Registry Services
• Security Services
• Headquartered in Reston, VA
• 2015 Revenues: $1.06 Billion
• S&P 500 Company
• 1,000+ Employees (as of Dec. 31, 2015)
• Verisign.com
Mission
“Enable the world to connect online with reliability and confidence, anytime, anywhere.” Jim Bidzos, President and CEO
Verisign Public
SECURING YOUR APPLICATION IS CRITICAL
APPLICATION DOWNTIME AFFECTS...
• Reputation & Brand
• Supply Chain
• Online Revenue
• Productivity & Communications
• Service & Information Delivery
…AND CHALLENGING
Diverse Application Environments:
• Public Cloud: 91%
• SaaS: 89%
• On Premise Virtual Server: 85%
• On Premise Private Cloud: 81%
• On Premise Physical Server: 77%
• All five: 59%
+ Growing Diversity of Actors & Attacks:
• State-sponsored Cyber Spies
• Hacktivists
• Cyber Criminals
• Zero-day Vulnerabilities
Growing Threat Landscape:
• Increasing DDoS & Multi-vector Attack Volume
• Attacks to DNS, HTTP/HTTPS, NTP/SNMP
Source: Riverbed Technology, December 2014
GROWTH OF CLOUD ENVIRONMENTS
More to protect – increased attack surface
[Chart: Installed Workloads in Millions, Cloud Data Center vs. Traditional Data Center, 2013-2018; 14% CAGR 2013-2018. Source: Cisco Global Cloud Index]
Enterprise Cloud Strategy, 1000+ Employees (Source: Rightscale 2014 State of Cloud Survey):
• No Plans: 4%
• Single public: 13%
• Single private: 9%
• Multiple private: 11%
• Multiple public: 15%
• Hybrid cloud: 48%
• Multi-Cloud: 74%
HOW DO WE SECURE ALL OF THIS?
WHAT IS A DDOS?
[Diagram: Attacker – IRC/Web Controller – Botnet of Unsuspecting Users – Victim]
1. Attacker compromises vulnerable systems (the unsuspecting users become a botnet)
2. Attacker uses the controller to activate the botnet…
3. …causing the botnet to attack the victim…
4. …bringing the victim down.
HOW EASY IS IT TO “DDOS” SOMEONE?
• The increasing availability of DDoS-for-hire services
• DDoS-for-hire capabilities have advanced in both success and popularity
• Some can be hired for just $5 USD an hour
• DDoS-for-hire services have become remarkably skilled at working under the radar
Source: Verisign Q414 DDoS Trends Reports
Sample Service Pricing (USD)
RISE OF DD4BC (“DDOS FOR BITCOIN”)
• Small attacks and ransom requests
• TCP SYN or UDP attacks (SSDP and NTP floods), 1-5 Gbps for less than an hour
• Initially targeted Bitcoin exchanges, online casinos and gaming sites
• Then moved on to financial institutions, e-commerce, & online travel organizations
• Has inspired other DDoS extortion groups
Source: Verisign iDefense Cyber Trends Report
TREND 1: ENORMOUS SCALE OF ATTACK
Bad guys always have more bandwidth than you
DDoS Attack Size Over Time (bandwidth in Gbps):
2004: 2.5 | 2005: 10 | 2006: 17 | 2007: 24 | 2008: 40 | 2009: 49 | 2010: 75 | 2011: 100+ | 2012: 150+ | 2013: 300 | 2014: 500
Average Size > 6Gbps
Sources
DDoS attack data based on DDoS mitigations performed by Verisign and various online media sources
300Gbps attack: http://blogs.verisigninc.com/blog/entry/verisign_mitigates_300_gbps_ddos
500Gbps attack: http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/
DDOS TRENDS – PEAK ATTACK SIZE
Peak Attack Sizes by % of Mitigations:
• < 1 Gbps: 38%
• 1-5 Gbps: 30%
• 5-10 Gbps: 14%
• > 10 Gbps: 18%
Peak Attack Size by Top Verticals (Gbps):
• Financial Services: 270
• IT Services / Cloud / SaaS: 80
• Media / Entertainment: 300
• E-commerce / Online Advertising: 90
• Telecom & Others: 65
• Public Sector: 50
Source: Verisign Q415 DDoS Trends Reports
TREND 2: MORE WIDESPREAD
• IT/Cloud/SaaS popular target
• 75% of attacks DNS, SSDP and NTP
By vertical (Q3 2015 → Q4 2015):
• IT Services / Cloud / SaaS: 29% → 33%
• Media & Entertainment / Content: 26% → 30%
• Financial: 15% → 15%
• Public Sector: 13% → 10%
• Telecom: 12% → 8%
• E-Commerce / Online Advertising: 5% → 4%
Source: Verisign Q315 & Q415 DDoS Trends Reports
TREND 3: MORE COMPLEX
Multi-Vector Attacks / Attack Complexity vs. Automation Mitigation:
• Don’t know/not sure: 14%
• Multi-vector: 37%
• Applications: 42%
• Volumetric: 44%
Base: 59 US and UK IT decision-makers at 500+ employee companies at organizations that have been hit by a DDoS or DNS-based attack within the last year, 2013-2014 Forrester Study
THANK YOU!
Rohit Kinra
linkedin.com/in/rohitk/
+1 703-948-4048
@rohitkinra
End to end security
Justin Fitzhugh, VP, Technical Operations
Fawad Shaikh, Technical Leader, Security
Instart Logic Overview
• We make websites fast, secure, and easier to operate
• Raised $140M to date, 500+ Enterprise Websites using our service, and sales growth of 3x in 2015
• 80+ patents in performance and security with team from Google, Twitter, Akamai, Cisco, VMware and others
[Logo panels: Strategic Investors, Key Customers, Recent Awards]
Confidential and proprietary
Site performance and security are converging
Performance / Security:
• Traditional model of hardware and appliances is moving to the cloud
• Performance and security solutions are converging
• CDNs started out predominantly focused on performance, but are expanding into security
• One streamlined solution versus multiple boxes
• End to end protection from the client to the cloud to the origin
Vulnerabilities are exposed along the entire content delivery path
• Traditional web applications were single ended: Web Browser – Internet/CDN – Web Application (HTML)
• Today’s applications are a mash-up: Web Browser – Internet/CDN – Web Application, with 3rd Party Services and External Code delivered alongside the HTML
Threats along the delivery path (Web Browser / External Code / Internet/CDN / 3rd Party Services / HTML):
• Malware
• Ad blockers
• Bot scrapers
• Man in the middle
• DDoS
• Vulnerability mistakes
• 3rd party software
DDoS attacks are becoming larger across our network
Attacks of all sizes cause site disruption
• Typical “Large” Volumetric Attack: site goes down (offline)
• Typical Layer 4-7 Attack: site slows down (loading…)
Site Disturbance = Lost Revenue
Security needs to be layered across content delivery path
Threats (Web Browser / External Code / Internet/CDN / 3rd Party Services / HTML):
• Malware
• Ad blockers
• Bot scrapers
• Man in the middle
• DDoS
• Vulnerability mistakes
• 3rd party software
Mitigation:
• Web Application Firewall
• Type checking
• Vulnerability scanners
• HTTPS
• Software Resource Integrity
• Encrypted CDN
• DDoS Mitigation
• Bot protection
• Endpoint security
Instart Logic provides layered protection end-to-end
Delivery path: Browser – Transit – Internet/CDN – Transit – Cloud/Origin, with 3rd-Party Services and External Code delivered alongside the HTML
Optimization and secured Content/Code Loaded: 1) Nanovisor (Nanovisor.js in the Web Browser) 2) Origin 3) 3rd-party 4) Local (extensions)
Example 1 – Travel Site
Issue
• Suspected DDOS attack
• Large number of unique visitors requesting significantly higher number of resources than standard
Analysis
• Homepage was updated to include “Hot Deals”
– Additional intensive call to database for each request
– Deals were updated every few minutes
Outage
• Traffic coming from everywhere
• Site slowed down to the point that it was unusable for end users
Mitigation
• Cached homepage for non-authenticated users for 1 min
• Hot Deals were always fresh
• Authenticated users presented customized homepage
• Reduced origin load while improving overall performance
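A minimal model of the caching mitigation above, added here as an illustration and not Instart Logic's code: anonymous requests share one cached homepage for 60 seconds while authenticated sessions always go to the origin for their customized page. The render_origin hook and the simulated clock are hypothetical stand-ins for the origin and its Hot Deals database query.

```python
import time
from typing import Callable, Optional, Tuple

CACHE_TTL_SECONDS = 60  # the 1-minute homepage cache from the travel-site case


class HomepageCache:
    """Edge cache that serves one shared copy of the homepage to anonymous
    visitors and sends authenticated visitors to the origin for a customized page.
    Constructed example; render_origin and the clock are hypothetical hooks."""

    def __init__(self, render_origin: Callable[[Optional[str]], str],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._render_origin = render_origin
        self._clock = clock
        self._shared: Optional[Tuple[float, str]] = None  # (expires_at, body)
        self.origin_hits = 0  # how many requests reached the origin (and its DB)

    def get(self, session_cookie: Optional[str]) -> str:
        # Authenticated users are never served the shared copy: their page is
        # personalized, and sharing it would leak one user's view to another.
        if session_cookie:
            self.origin_hits += 1
            return self._render_origin(session_cookie)
        now = self._clock()
        if self._shared is not None and now < self._shared[0]:
            return self._shared[1]          # fresh shared copy, origin untouched
        self.origin_hits += 1
        body = self._render_origin(None)    # one DB-heavy render per TTL window
        self._shared = (now + CACHE_TTL_SECONDS, body)
        return body


def simulate(requests):
    """requests: list of (seconds_since_start, session_cookie_or_None).
    Returns (origin_hits, bodies_served) under a simulated clock."""
    now = [0.0]
    def clock() -> float:
        return now[0]
    def render_origin(cookie: Optional[str]) -> str:
        # Stand-in for the origin's "Hot Deals" query; the timestamp shows freshness.
        return f"hot-deals@{now[0]:.0f}s for {cookie or 'guest'}"
    cache = HomepageCache(render_origin, clock)
    served = []
    for t, cookie in requests:
        now[0] = t
        served.append(cache.get(cookie))
    return cache.origin_hits, served
```

A burst of 500 anonymous requests inside one minute costs the origin a single render, and the deals are never more than 60 seconds stale.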
Example 2 – eCommerce Site
Issue
• Scraper utilizing TOR made 20 requests/second cumulative across all IP addresses
• Requests targeted search functionality and consumed high amount of database resources
Analysis
• Not a high volume attack
• Database overload and site instability
Mitigation
• Blocked the TOR exit node IP addresses
– Analyzed traffic patterns to find common signatures
– Created WAF signature based rules to detect new requests
• Scraper migrated to BotNet of 80K+ endpoints
– WAF signature detected and blocked attacks from new endpoints automatically
– Created additional WAF signatures to ensure coverage in case of additional scraper mutation
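An added illustration of the detection logic behind this mitigation, using constructed code and log lines rather than Instart Logic's WAF: the request rate to the search endpoint is summed across all source IPs (so a scraper spread over many exit nodes is still visible), and the dominant (method, path, user-agent) tuple becomes a signature that keeps matching when the same scraper returns from IPs never seen before. The log format, SCRAPER_UA and every IP address are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed access-log format: <ISO timestamp> <client ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
SCRAPER_UA = "Mozilla/5.0 (compatible; scrapebot/1.0)"  # constructed user agent
Signature = Tuple[str, str, str]  # (method, path without query string, user-agent)

# Constructed sample: 20 search requests in one second from 20 different exit nodes
# (each source IP at only 1 request/second), plus three ordinary visitors.
SAMPLE_LOG = [f'2016-03-31T10:00:01 10.1.{i}.{i} GET /search?q=item{i} "{SCRAPER_UA}"'
              for i in range(20)] + [
    '2016-03-31T10:00:01 192.0.2.10 GET /search?q=shoes "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0"',
    '2016-03-31T10:00:01 192.0.2.11 GET /product/42 "Mozilla/5.0 (Macintosh) Safari/601"',
    '2016-03-31T10:00:02 192.0.2.12 GET /search?q=hats "Mozilla/5.0 (Linux; Android 6.0) Chrome/49"',
]

def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path.split("?", 1)[0], "ua": ua}

def dominant_signature(recs: List[Dict[str, str]]) -> Tuple[Optional[Signature], float]:
    """Most common (method, path, user-agent) tuple and its share of the requests:
    the 'common signature' a WAF rule can key on instead of individual IPs."""
    if not recs:
        return None, 0.0
    sig, n = Counter((r["method"], r["path"], r["ua"]) for r in recs).most_common(1)[0]
    return sig, n / len(recs)

def analyze(lines: List[str], threshold_rps: int = 10, endpoint: str = "/search") -> dict:
    """Rate the search endpoint summed over ALL client IPs: a per-IP threshold alone
    never fires when 20 req/s is spread across 20 exit nodes."""
    search = [r for r in map(parse, lines) if r and r["path"] == endpoint]
    peak_total = max(Counter(r["ts"] for r in search).values(), default=0)
    peak_per_ip = max(Counter((r["ip"], r["ts"]) for r in search).values(), default=0)
    sig, share = dominant_signature(search)
    return {"peak_total_rps": peak_total, "peak_per_ip_rps": peak_per_ip,
            "flagged": peak_total >= threshold_rps,
            "signature": sig, "signature_share": share}

def matches_signature(line: str, sig: Optional[Signature]) -> bool:
    """WAF-style check for a new request, e.g. from a botnet node never seen before."""
    r = parse(line)
    return bool(r and sig) and (r["method"], r["path"], r["ua"]) == sig
```

On the sample, the per-IP peak is 1 request/second while the cumulative peak is 21, and the extracted signature matches a request from a fresh IP but not an ordinary browser search.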
Thank you!
Justin Fitzhugh – linkedin.com/in/justinfitzhugh – +1 650-870-9945 – @Jfitzhugh
Fawad Shaikh – linkedin.com/in/fawadshaikhatl – +1 404-939-5082
Q&A